CVE-2025-26466
Published: 28 February 2025
Description
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).
Security Summary
CVE-2025-26466, published on 2025-02-28, is a vulnerability in the OpenSSH package affecting the SSH server component. The flaw stems from improper memory management during the handling of ping packets received before key exchange completion. For each ping packet, the server allocates a pong packet in a memory buffer and stores it in a queue, but these are only freed after the server/client key exchange finishes. This allows a malicious client to send repeated ping packets, resulting in uncontrolled memory consumption and potential server unavailability, classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The CVSS v3.1 base score is 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote, unauthenticated attacker can exploit this vulnerability over the network by continuously sending ping packets to the SSH server prior to key exchange. The high attack complexity (AC:H) likely arises from the need to precisely time and sustain the packet flood without triggering other defenses or completing the handshake. Successful exploitation leads to denial of service through memory exhaustion, rendering the server unresponsive, with no impact on confidentiality or integrity.
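The queueing pattern described above, modelled as an added toy simulation for defenders (this is not OpenSSH source; the message numbers, the byte cap and the payload sizes are assumptions chosen for illustration). It contrasts the unbounded "one queued pong per ping, freed only after key exchange" behaviour with a bounded variant that stops growing the pre-KEX backlog, which is the CWE-770 fix pattern:

```python
"""Toy model of the pre-key-exchange ping/pong backlog behind CVE-2025-26466.

Added illustration only; this is not OpenSSH code. It models the pattern the
summary describes (a pong reply queued per ping, released only after KEX) and
contrasts it with a bounded variant that refuses to grow the backlog.
"""
from dataclasses import dataclass, field

# Message numbers of the OpenSSH ping extension (assumed here for the model,
# not taken from the advisory text above).
SSH2_MSG_PING = 192
SSH2_MSG_PONG = 193

# Cap on reply bytes a peer may queue before key exchange completes.
# Constructed value for the model; real implementations choose their own.
MAX_PRE_KEX_OUTPUT = 4096


@dataclass
class PeerState:
    """Per-connection state: the outbound queue and whether KEX has finished."""
    kex_done: bool = False
    output_queue: list = field(default_factory=list)
    pings_dropped: int = 0

    def queued_bytes(self) -> int:
        return sum(len(m) for m in self.output_queue)


def make_pong(ping_payload: bytes) -> bytes:
    """Encode a pong that echoes the ping payload (simplified wire format)."""
    return bytes([SSH2_MSG_PONG]) + ping_payload


def handle_ping_unbounded(state: PeerState, payload: bytes) -> bool:
    """Vulnerable pattern (CWE-770): every ping gets a queued reply, no limit."""
    state.output_queue.append(make_pong(payload))
    return True


def handle_ping_bounded(state: PeerState, payload: bytes,
                        cap: int = MAX_PRE_KEX_OUTPUT) -> bool:
    """Hardened pattern: do not grow the backlog while KEX is incomplete.

    Pings are optional keepalives, so dropping them is safe: the peer gets no
    pong until it finishes key exchange, after which replies flow normally.
    """
    if not state.kex_done and state.queued_bytes() + len(payload) + 1 > cap:
        state.pings_dropped += 1
        return False
    state.output_queue.append(make_pong(payload))
    return True


def complete_kex(state: PeerState) -> int:
    """Key exchange finished: the backlog is flushed and its memory released."""
    state.kex_done = True
    released = state.queued_bytes()
    state.output_queue.clear()
    return released


def simulate(handler, n_pings: int, payload: bytes = b"\x00" * 15) -> PeerState:
    """Feed n_pings pre-KEX pings (constructed input) through a handler."""
    state = PeerState()
    for _ in range(n_pings):
        handler(state, payload)
    return state


if __name__ == "__main__":
    for name, h in (("unbounded", handle_ping_unbounded),
                    ("bounded", handle_ping_bounded)):
        s = simulate(h, 100_000)
        print(f"{name}: queued={s.queued_bytes()} bytes, dropped={s.pings_dropped}")
```

Running the module shows the unbounded handler's backlog growing linearly with the number of pings, while the bounded handler plateaus at the cap and counts the rest as dropped; `complete_kex` then releases whatever was queued, which is the point at which the real implementation also frees the replies.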
Mitigation details are provided in vendor advisories, including the Red Hat security bulletin at https://access.redhat.com/security/cve/CVE-2025-26466, the associated Bugzilla report at https://bugzilla.redhat.com/show_bug.cgi?id=2345043, and analyses from Qualys (https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt) and security mailing lists such as oss-sec (https://seclists.org/oss-sec/2025/q1/144) and Full Disclosure (http://seclists.org/fulldisclosure/2025/Feb/18). Security practitioners should consult these for patch availability and workarounds specific to the affected OpenSSH versions.
Details
CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)
Affected Products: OpenSSH
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables a pre-authentication DoS: a flood of ping packets causes asymmetric memory exhaustion on the OpenSSH server (and client), which maps to direct network floods and service/OS exhaustion.